Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.

# iptables -I INPUT -m set --match-set myset src -j DROP

Blocking a list of IP addresses

Start by creating a new "set" of ip addresses. This creates a new "hash" set of "ip" addresses named "myset-ip".

Blocking With PeerGuardian and Other Blocklists

The pg2ipset-gitAUR tool by the author of Maeyanie.com, coupled with the ipset-update.sh script can be used with cron to automatically update various blocklists. Currently, by default, blocking of: country, tor exit node and Bluetrack pg2 list are implemented.

Other Commands

To view the sets:

# ipset list

or

# ipset -L

To delete a set named "myset":

# ipset destroy myset

or

# ipset -X myset

To delete all sets:

# ipset destroy

Please see the man page for ipset for further information.

Optimization

The iprangeAUR tool can help to reduce entries in ipset.conf by merging adjacent ranges or eliminating overlapped ranges. This can improve the router/firewall performance if the table size is huge. This tool can also convert a list of hostnames to IPs.